Static route between two tunnels on internet side of their routers?

Started by bombcar, January 25, 2010, 08:10:09 PM

bombcar

I have a m0n0wall router that uses one HE tunnel. It works great.

I have a Gentoo box that is alongside the router (not behind it); it has its own tunnel and it also works great.

However, when I go via IPv6 from my network behind the m0n0wall router to my Gentoo server, I travel down the tunnel over the internet.

It seems to me I should be able to add a static route somehow to make it shortcut, but I'm not sure how to do it.

Would it be as simple as adding the other tunnel's /64 to each side as being on the WAN port directly?

jimb

Is there a direct link between the two?  Or are they on separate internet connections?  If the latter, you could set up a 6in4 between them directly and statically route the /64s over that link.

It's hard to say w/o more details on your network.  Are you running separate IPv6 space on the same LAN?  If that's the case it's as easy as adding an IPv6 address from each's respective /64 onto the LAN interface, and voila, they each have direct connectivity to each other plus routes to each other's /64s.  If you want to also get to the 6in4 interface address directly, a simple static route would suffice.

bombcar

I have 4 "real" IPv4 IPs from Speakeasy - so their DSL modem is connected to my boring switch. The x.5 address is my m0n0wall router, plugged into that switch. The x.254 address is my Gentoo server, plugged in the same switch.

The m0n0wall hands out IPv6 addresses behind it to the 10.x LAN. The Gentoo server squats on a /64 all by itself.

Quote
If that's the case it's as easy as adding an IPv6 address from each's respective /64 onto the LAN interface, and voila, they each have direct connectivity to each other plus routes to each other's /64s.

This would seem to be what I need to do, but I need to make sure it won't kill the connection, especially as the Gentoo box doesn't have an IPv6 address on eth0 (besides the link local one), only on sit1.

jimb

Quote from: bombcar on January 25, 2010, 09:51:24 PM
I have 4 "real" IPv4 IPs from Speakeasy - so their DSL modem is connected to my boring switch. The x.5 address is my m0n0wall router, plugged into that switch. The x.254 address is my Gentoo server, plugged in the same switch.

The m0n0wall hands out IPv6 addresses behind it to the 10.x LAN. The Gentoo server squats on a /64 all by itself.

Quote
If that's the case it's as easy as adding an IPv6 address from each's respective /64 onto the LAN interface, and voila, they each have direct connectivity to each other plus routes to each other's /64s.

This would seem to be what I need to do, but I need to make sure it won't kill the connection, especially as the Gentoo box doesn't have an IPv6 address on eth0 (besides the link local one), only on sit1.

Right.  I have statics myself too.

Are you opposed to putting one of the /64s from the m0n0wall tunnel block on the gentoo's LAN interface?  If not, you could do that and just add a static /128 route for the gentoo box's tunnel interface address, and on the gentoo box, it'd have a connected route to the /64, and you could add a similar /128 route for the m0n0wall's tunnel interface address if you wish.  Then traffic would cross your LAN instead of the internet.

If you're opposed to doing that, you could add the statics through the link local addresses of their respective LAN interfaces.  You'd have to specify the interface in the route command of course.

bombcar

Quote
Are you opposed to putting one of the /64s from the m0n0wall tunnel block on the gentoo's LAN interface?  If not, you could do that and just add a static /128 route for the gentoo box's tunnel interface address, and on the gentoo box, it'd have a connected route to the /64, and you could add a similar /128 route for the m0n0wall's tunnel interface address if you wish.  Then traffic would cross your LAN instead of the internet.

I tried this using:

ifconfig eth0 add 2001:x:x:x::4/64

It seemed to do something, but broke reverse communication somehow. Do I need to add something on the m0n0wall box? I'm trying to add a /128 static route, but it wants a gateway.

bombcar

I get:

From 2001:x:x:x::4 icmp_seq=1 Destination unreachable: Port unreachable
From 2001:x:x:x::4 icmp_seq=1 Destination unreachable: Port unreachable

when I run the route add command and try to ping6 the other side.

jimb

For the gentoo to get to the routed /64, you add an address from the routed /64 to the LAN interface of the gentoo box.  It shouldn't break anything.

For the m0n0wall to get to the tunnel ipv6 of the gentoo box, you would have to add a host route to the m0n0wall box, with the gateway being the IPv6 you added to the LAN interface of the gentoo box.  You also need to make sure IPv6 forwarding is turned on (sysctl -w net.ipv6.conf.all.forwarding=1).

For the gentoo box to get to the m0n0wall tunnel interface, you need to add a host route to the gentoo box with the gateway being the LAN interface of the m0n0wall box.  You will also likely have to adjust the m0n0wall security policy to allow this traffic.

Also, why are you running two tunnels to two boxes?  You could put the gentoo box on the LAN and simply run a routed /64 address on the LAN interface.
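As an added example (not code from this thread, nor from m0n0wall or shorewall), a small Python check for the procedure jimb gives above and for the ping6 output bombcar posted earlier: it verifies that a planned host route's gateway is actually on-link (the "it wants a gateway" problem), and tells apart an ICMPv6 Port unreachable generated by the local box from one sent by a remote router. All 2001:db8:: addresses and the interface layout are constructed assumptions standing in for the 2001:x:x:x:: prefixes in the posts.

```python
# Added example, not from the thread: check the static routes jimb describes
# and classify ping6 errors. All 2001:db8:: addresses are constructed placeholders.
import ipaddress
import re

# Constructed layout: one /64 from the m0n0wall's routed block is put on the
# shared segment; the m0n0wall keeps its own HE tunnel endpoint address.
GENTOO_LAN = ipaddress.IPv6Interface("2001:db8:1:1::4/64")   # added to eth0
M0N0_LAN = ipaddress.IPv6Address("2001:db8:1:1::1")          # m0n0wall side
M0N0_TUNNEL = ipaddress.IPv6Address("2001:db8:3:3::2")       # m0n0wall tunnel
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

def check_route(dest, via, connected, dev=None):
    """Return (ok, reason) for 'route add <dest>/128 via <via> [dev <dev>]'.
    The next hop must be on-link: inside a prefix configured on a local
    interface, or a link-local address given together with its interface."""
    via = ipaddress.IPv6Address(str(via))
    ipaddress.IPv6Address(str(dest))     # validate the destination too
    if via in LINK_LOCAL:
        return (dev is not None, "ok" if dev else "link-local gateway needs dev")
    if any(via in iface.network for iface in connected):
        return (True, "ok")
    return (False, f"gateway {via} is not on any connected prefix")

PING_ERR = re.compile(r"^From (\S+) icmp_seq=\d+ Destination unreachable: (.+)$")

def classify_ping_error(line, local_addrs):
    """Who sent the ICMPv6 error? 'Port unreachable' from one of this host's own
    addresses means the packet never left the box; that is the default
    reject-with of ip6tables -j REJECT (icmp6-port-unreachable), i.e. a local
    firewall rule such as an incomplete shorewall zone definition."""
    m = PING_ERR.match(line.strip())
    if not m:
        return None
    src, code = ipaddress.IPv6Address(m.group(1)), m.group(2)
    if src in local_addrs and code == "Port unreachable":
        return "local firewall reject"
    return "remote: " + code

# Constructed ping6 line in the same shape as the one posted above.
SAMPLE_LINE = "From 2001:db8:1:1::4 icmp_seq=1 Destination unreachable: Port unreachable"

if __name__ == "__main__":
    print(check_route(M0N0_TUNNEL, M0N0_LAN, []))            # before ::4 is on eth0
    print(check_route(M0N0_TUNNEL, M0N0_LAN, [GENTOO_LAN]))  # after: ok
    print(classify_ping_error(SAMPLE_LINE, {GENTOO_LAN.ip}))
```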

bombcar

That would be an option, but it would require redoing the entire IPv4 setup, which I'm not yet certain I want to do. It may be the "route" I end up taking, however.

bombcar

It looks like I cannot add additional IPv6 addresses to the WAN side of the m0n0wall router, so I cannot do this.

I guess it's time to look at moving the machine into the network or onto a DMZ.

jimb


bombcar

Would that work? The LAN side isn't physically connected to the WAN cable which is connected to the switch the Gentoo box is on ...

I think I'm going to have to draw a diagram.

bombcar

AUGH!

It was shorewall! I forgot to tell it that eth0 was part of the net (it was just looking at sit1)!

Now it works, all is happy, I am happy.